<div dir="ltr">Hi Marco,<div><br></div><div>SoftHSM does not cache the key object but reads it from the object store (in memory) for each operation (encrypt/decrypt). We made some changes in version 2.4 to how the library detects changes to the object store on disk. It might be, in your case, that SoftHSM also loads the object from disk for each operation if there are new objects added during execution.</div><div><br></div><div><a href="https://github.com/opendnssec/SoftHSMv2/issues/358">https://github.com/opendnssec/SoftHSMv2/issues/358</a><br></div><div><br></div><div>Do you have the possibility to test SoftHSM 2.4?</div><div><br></div><div>// Rickard</div><div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jul 17, 2018 at 6:10 PM, Spadoni Marco <span dir="ltr"><<a href="mailto:Marco.Spadoni@italiaonline.it" target="_blank">Marco.Spadoni@italiaonline.it</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
<div lang="IT">
<div class="gmail-m_-9068467620583527199WordSection1">
<p class="MsoNormal" style="margin-bottom:0.0001pt;line-height:normal">
<span lang="EN-US" style="font-family:"Courier New"">Hi all,<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt;line-height:normal">
<span lang="EN-US" style="font-family:"Courier New"">we would like to have your help in order to understand the behavior of the SoftHSM token described herein.</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt;line-height:normal">
<span lang="EN-US" style="font-family:"Courier New""><u></u> <u></u></span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt;line-height:normal">
<span lang="EN-US" style="font-family:"Courier New"">We developed a multi-threaded, C++-implemented FastCGI module for Apache embedding an instance of a SoftHSM v2.0 token.</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt;line-height:normal">
<span lang="EN-US" style="font-family:"Courier New""><u></u> <u></u></span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt;line-height:normal">
<span lang="EN-US" style="font-family:"Courier New"">The service, named HBM (for HSM Broker Module), accepts HTTP POST requests (for encryption and decryption) and runs on a bare-metal DELL R-710 server with the following characteristics:</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt;line-height:normal">
<span lang="EN-US" style="font-family:"Courier New""><u></u> <u></u></span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt;line-height:normal">
<span style="font-family:"Courier New"">2 CPU 6-core Intel(R) Xeon(R) CPU E5645 @2.40GHz<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt;line-height:normal">
<span lang="EN-US" style="font-family:"Courier New"">Hyper-threading enabled<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt;line-height:normal">
<span lang="EN-US" style="font-family:"Courier New"">RAM: 96 GB @1333MHz DDR3 (8 GB banks)<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt;line-height:normal">
<span lang="EN-US" style="font-family:"Courier New"">6 x 600 GB HDD in RAID 10, HW RAID (total end-user capacity: about 1.5 TBytes)<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt;line-height:normal">
<span lang="EN-US" style="font-family:"Courier New"">Operating System: CentOS 7.2 - 64 bit</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt;line-height:normal">
<span lang="EN-US" style="font-family:"Courier New""><u></u> <u></u></span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt;line-height:normal">
<span lang="EN-US" style="font-family:"Courier New"">The installed version of the SoftHSM package is:<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt;line-height:normal">
<span lang="EN-US" style="font-family:"Courier New"">softhsm.x86_64 2.1.0-2.el7 @base</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt;line-height:normal">
<span lang="EN-US" style="font-family:"Courier New""><u></u> <u></u></span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt;line-height:normal">
<span lang="EN-US" style="font-family:"Courier New"">On another machine with the same characteristics, we ran the Siege benchmarking utility, having populated the Siege input file with half HBM encryption commands and half decryption ones.</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt;line-height:normal">
<span lang="EN-US" style="font-family:"Courier New"">The Siege run lasts five minutes and is executed at a concurrency level of 16; this is the command through which each Siege run is started:</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt;line-height:normal">
<span lang="EN-US" style="font-family:"Courier New""><u></u> <u></u></span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt;line-height:normal">
<span lang="EN-US" style="font-family:"Courier New"">/home/kafka/siege/bin/siege -q -f/tmp/siege.in.$$ -l$PWD/h.log -m "$MESSAGE" -b -i -t300S -c16</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt;line-height:normal">
<span lang="EN-US" style="font-family:"Courier New""><u></u> <u></u></span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt;line-height:normal">
<span lang="EN-US" style="font-family:"Courier New"">Each encryption and decryption request is associated with an (AES-256-CBC) key identifier, but in the test we always used the same key identifier.</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt;line-height:normal">
<span lang="EN-US" style="font-family:"Courier New"">A request to the service is handled by a freshly created thread, which has a private (but non-volatile) cache containing the PKCS#11 handle of the key to be used to satisfy the request.
Thus we do not need to execute the C_FindObjects() PKCS#11 routine for each request: after some requests, new threads are likely to find their private cache already filled by a previously executed thread (which dies after the request is serviced).</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt;line-height:normal">
<span lang="EN-US" style="font-family:"Courier New""><u></u> <u></u></span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt;line-height:normal">
<span lang="EN-US" style="font-family:"Courier New"">We measured the throughput reported by Siege after modifications (keys added to or removed from the SoftHSM token), and we have the following table, where the “HBM reboot” boolean indicates whether the HBM service was rebooted before the corresponding run.</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt;line-height:normal">
<span lang="EN-US" style="font-family:"Courier New""><u></u> <u></u></span></p>
<table style="font-family:'Courier New';border-collapse:collapse">
<tr><th>Run ID</th><th>Number of keys</th><th>HBM reboot</th><th>Throughput</th></tr>
<tr><td>1</td><td>52</td><td>Y</td><td>12951.84</td></tr>
<tr><td>2</td><td>1</td><td>N</td><td>13456.31</td></tr>
<tr><td>3</td><td>52</td><td>N</td><td>3566.23</td></tr>
<tr><td>4</td><td>52</td><td>Y</td><td>12930.80</td></tr>
<tr><td>5</td><td>26</td><td>N</td><td>6427.34</td></tr>
<tr><td>6</td><td>38</td><td>N</td><td>4583.19</td></tr>
<tr><td>7</td><td>52</td><td>N</td><td>3505.33</td></tr>
<tr><td>8</td><td>52</td><td>Y</td><td>12865.59</td></tr>
<tr><td>9</td><td>26</td><td>N</td><td>6427.05</td></tr>
<tr><td>10</td><td>1</td><td>N</td><td>13310.76</td></tr>
</table>
<p class="MsoNormal" style="margin-bottom:0.0001pt;line-height:normal">
<span lang="EN-US" style="font-family:"Courier New""><u></u> <u></u></span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt;line-height:normal">
<span lang="EN-US" style="font-family:"Courier New"">As can be seen (going from run 2 to run 3), adding keys to the token without rebooting HBM causes a notable drop in throughput, and the same happens when removing keys (runs 4 to 5 and 8 to 9). However, when
only the (unique) used key is left in the token, the throughput rises again.</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt;line-height:normal">
<span lang="EN-US" style="font-family:"Courier New""><u></u> <u></u></span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt;line-height:normal">
<span lang="EN-US" style="font-family:"Courier New"">This happens also when the HBM service is rebooted (runs 3 to 4, and 7 to 8).<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt;line-height:normal">
<span lang="EN-US" style="font-family:"Courier New""><u></u> <u></u></span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt;line-height:normal">
<span lang="EN-US" style="font-family:"Courier New"">We do not understand this behavior, and any hint to interpret it would be much appreciated.<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt;line-height:normal">
<span lang="EN-US" style="font-family:"Courier New"">Regards,<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt;line-height:normal">
<span lang="EN-US" style="font-family:"Courier New""><u></u> <u></u></span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt;line-height:normal">
<span lang="EN-US" style="font-family:"Courier New"">Marco Spadoni<u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<br>
</div>
<br>_______________________________________________<br>
Opendnssec-user mailing list<br>
<a href="mailto:Opendnssec-user@lists.opendnssec.org">Opendnssec-user@lists.opendnssec.org</a><br>
<a href="https://lists.opendnssec.org/mailman/listinfo/opendnssec-user" rel="noreferrer" target="_blank">https://lists.opendnssec.org/mailman/listinfo/opendnssec-user</a><br>
<br></blockquote></div><br></div></div></div>
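<p>The measurement in the thread, as an added example that is not part of the original posts or of SoftHSM: a small python-pkcs11 script that finds the AES key once, keeps its handle the way HBM's per-thread cache does, times a loop of encryptions, and then times the same loop again after keys have been added to or removed from the token by another process, without restarting. It isolates the effect Rickard describes (the object being re-read from the object store per operation) from the cost of C_FindObjects. The module path, token label, PIN, key label and payload are assumptions (constructed values, overridable through environment variables).</p>

```python
"""Throughput microbenchmark with a cached PKCS#11 key handle (added example,
not code from the thread). Requires the python-pkcs11 package and a SoftHSM2
token holding an AES-256 secret key."""
import os
import time

# All of these are assumptions; override them through the environment.
MODULE_PATH = os.environ.get("PKCS11_MODULE", "/usr/lib64/softhsm/libsofthsm2.so")  # assumed path
TOKEN_LABEL = os.environ.get("PKCS11_TOKEN", "hbm")        # assumed token label
USER_PIN = os.environ.get("PKCS11_PIN", "1234")            # assumed user PIN
KEY_LABEL = os.environ.get("PKCS11_KEY", "hbm-aes-256")    # assumed label of the AES-256 key
PAYLOAD = b"x" * 1024                                       # constructed plaintext
IV = bytes(16)                                              # fixed IV: timing only, never for real data


def ops_per_second(count, elapsed):
    """Operations per second for `count` operations that took `elapsed` seconds."""
    return count / elapsed if elapsed > 0 else float("inf")


def slowdown(baseline, measured):
    """Factor by which throughput fell relative to the baseline (1.0 = unchanged)."""
    return baseline / measured


def time_encrypts(key, iterations):
    """Encrypt PAYLOAD `iterations` times with an already-found key handle
    and return the achieved operations per second. Only C_EncryptInit/C_Encrypt
    run inside the loop; no object search happens here."""
    start = time.perf_counter()
    for _ in range(iterations):
        key.encrypt(PAYLOAD, mechanism_param=IV)  # AES-CBC-PAD is python-pkcs11's default for AES
    return ops_per_second(iterations, time.perf_counter() - start)


def run_experiment(iterations=20000):
    """Measure a baseline, pause for an external token change, then re-measure
    with the very same cached handle. Returns (baseline, after) in ops/s."""
    # Imported lazily so the timing helpers above stay usable without the library.
    import pkcs11
    from pkcs11 import ObjectClass

    lib = pkcs11.lib(MODULE_PATH)
    token = lib.get_token(token_label=TOKEN_LABEL)
    with token.open(user_pin=USER_PIN) as session:
        # A single C_FindObjects; every encryption below reuses this handle,
        # mirroring HBM's per-thread handle cache.
        key = session.get_key(object_class=ObjectClass.SECRET_KEY, label=KEY_LABEL)
        baseline = time_encrypts(key, iterations)
        print(f"baseline: {baseline:.1f} encrypt/s")
        input("Add or remove keys in the token from another process "
              "(softhsm2-util or pkcs11-tool), then press Enter: ")
        after = time_encrypts(key, iterations)
        print(f"after change: {after:.1f} encrypt/s "
              f"(slowdown x{slowdown(baseline, after):.2f})")
        return baseline, after


if __name__ == "__main__":
    run_experiment()
```

Run it once against SoftHSM 2.1 and once against 2.4 with the same token: because the handle is never re-found, any difference between the two timings comes from the library's per-operation handling of the object store, which is the part that changed in 2.4. For comparison, the thread's runs 2 and 3 correspond to a slowdown factor of about 3.6.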